Skip to content

ci: bump actions/* off Node 20 runner ahead of 2026-09-16 removal #19

Description

@alikahwaji

Summary

GitHub Actions is removing Node 20 from runners on 2026-09-16 and will force Node 24 as the default on 2026-06-02. Every run currently emits this annotation on actions/checkout@v4, actions/setup-node@v4, actions/upload-artifact@v4, actions/download-artifact@v4, and peaceiris/actions-gh-pages@v4:

Node.js 20 actions are deprecated. Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026. Node.js 20 will be removed from the runner on September 16th, 2026.

Observed on run 24216899512 (commit 0493999).

Scope

22 action pins across 4 workflow files:

File Action Count
.github/workflows/ci.yml actions/checkout@v4 4
.github/workflows/ci.yml actions/setup-node@v4 3
.github/workflows/ci.yml actions/upload-artifact@v4 4
.github/workflows/ci.yml actions/download-artifact@v4 2
.github/workflows/ci.yml peaceiris/actions-gh-pages@v4 1
.github/workflows/lighthouse.yml actions/checkout@v4 1
.github/workflows/lighthouse.yml actions/setup-node@v4 1
.github/workflows/lighthouse.yml actions/upload-artifact@v4 1
.github/workflows/release.yml actions/checkout@v4 1
.github/workflows/release.yml actions/setup-node@v4 1
.github/workflows/security.yml actions/checkout@v4 3
.github/workflows/security.yml actions/setup-node@v4 1
.github/workflows/security.yml actions/upload-artifact@v4 1

(Plus trufflesecurity/trufflehog@v3.94.3 in security.yml — already pinned to a SHA-equivalent tag, just needs a version check.)

Fix strategy

  1. Preferred: bump each action to the latest major that ships with Node 24. As of filing, actions/checkout@v5, actions/setup-node@v5, actions/upload-artifact@v5, actions/download-artifact@v5 are all published with Node 24 support. Verify on the marketplace before bumping.
  2. Fallback (if a newer major isn't available or introduces breaking changes): set `env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true` at the workflow level to opt into Node 24 on the current `@v4` tag without a version bump. This is a reversible short-term bridge.
  3. Do not rely on `ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true` — per GitHub's deprecation notice that's a temporary post-forcing opt-out, not a long-term fix.

Acceptance criteria

  • No Node 20 deprecation annotations on any workflow run
  • All 4 workflows (ci.yml, lighthouse.yml, release.yml, security.yml) pass on a push to main
  • deploy still succeeds (peaceiris/actions-gh-pages@v4 is the highest-risk pin — verify the gh-pages push works end-to-end)
  • trufflehog scan still runs in security.yml (the pinned tag is independent of this deprecation but worth a sanity check)

Priority

Low/medium. Deadline is 2026-09-16 (~5 months out from today). No rush, but it's a one-afternoon PR and ideal to ship before the 2026-06-02 forcing date so we don't learn about breakage via a surprise red run.

Related

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions